Deploying kube-proxy

kube-proxy likewise uses a certificate that we issue centrally.


1. Create the configuration file

cat > /opt/kubernetes/cfg/kube-proxy.conf << EOF
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--config=/opt/kubernetes/cfg/kube-proxy-config.yml"
EOF

2. Create the parameter file

cat > /opt/kubernetes/cfg/kube-proxy-config.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-master
clusterCIDR: 10.0.0.0/24
EOF

[root@k8s-master ~]# netstat -tpln | grep 10249
tcp6       0      0 :::10249                :::*                    LISTEN      1108/kube-proxy 

[root@k8s-master ~]# curl 127.0.0.1:10249/metrics

3. Generate the kube-proxy.kubeconfig file

Generate the kube-proxy certificate:

# Change to the working directory
cd TLS/k8s

# Create the certificate signing request file
cat > kube-proxy-csr.json << EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

# Generate the certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

ls kube-proxy*pem
kube-proxy-key.pem  kube-proxy.pem

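Generate the kubeconfig file:

Cluster parameters

Use the kubectl config command to generate the kubeconfig, building up its contents step by step.

The generated file has the same format as the config file in the home directory.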

[root@k8s-master ~]# cd .kube/
[root@k8s-master .kube]# ls
cache  config

This step fills in the cluster information.

KUBE_APISERVER="https://192.168.111.3:6443"

kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig



[root@localhost k8s]# kubectl config set-cluster kubernetes \
>   --certificate-authority=/opt/kubernetes/ssl/ca.pem \
>   --embed-certs=true \
>   --server=${KUBE_APISERVER} \
>   --kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.


[root@localhost k8s]# cat kube-proxy.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.111.3:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

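This section sets the information for the cluster to be accessed.

set-cluster sets the cluster to access, named kubernetes above; this is only a name, and the actual target is the apiserver that --server points to.

  • --certificate-authority sets the public key of the cluster
  • --embed-certs set to true writes the --certificate-authority certificate into the kubeconfig
  • --server is the address of the cluster's kube-apiserver
  • The generated kubeconfig is saved to the kube-proxy.kubeconfig file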

User parameters

kubectl config set-credentials kube-proxy \
  --client-certificate=./kube-proxy.pem \
  --client-key=./kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig


[root@localhost k8s]# kubectl config set-credentials kube-proxy \
>   --client-certificate=./kube-proxy.pem \
>   --client-key=./kube-proxy-key.pem \
>   --embed-certs=true \
>   --kubeconfig=kube-proxy.kubeconfig
User "kube-proxy" set.


[root@localhost k8s]# cat kube-proxy.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.111.3:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: kube-proxy
  user:
    client-certificate-data: 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
    client-key-data: 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

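This section sets the user information, chiefly the user certificate. The user name above is kube-proxy, the certificate is kube-proxy.pem and the private key is kube-proxy-key.pem. Note that the client certificate must first be signed by the cluster CA, otherwise the cluster will not accept it. CA authentication is used here; token authentication is also possible, for example bootstrapping under kubelet's TLS Bootstrap mechanism uses token authentication. The kubectl commands above use CA authentication, so no token field is needed.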

Context parameters

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig


[root@localhost k8s]# kubectl config set-context default \
>   --cluster=kubernetes \
>   --user=kube-proxy \
>   --kubeconfig=kube-proxy.kubeconfig
Context "default" created.

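Several pairs of cluster parameters and user parameters can be set at the same time; the context parameters associate a cluster entry with a user entry. The context above is named kubernetes, with cluster kubernetes and user kube-proxy.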

[root@localhost k8s]# cat kube-proxy.kubeconfig 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.111.3:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kube-proxy
  name: default
current-context: ""
kind: Config
preferences: {}
users:
- name: kube-proxy
  user:
    client-certificate-data: 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
    client-key-data: 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

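Finally, run kubectl config use-context default to use the context entry named kubernetes as the configuration. If several context entries are configured, switching between their names gives access to different cluster environments.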

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig


[root@localhost k8s]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".

Copy it to the path specified in the configuration file:

cp kube-proxy.kubeconfig /opt/kubernetes/cfg/

4. Manage kube-proxy with systemd

cat > /usr/lib/systemd/system/kube-proxy.service << EOF
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

5. Start the service and enable it at boot

systemctl daemon-reload
systemctl start kube-proxy
systemctl enable kube-proxy
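
The files written in steps 2 and 3 can be checked once the procedure is complete. The script below is an added example, not part of the original post: it flags a metrics endpoint bound beyond loopback (the 0.0.0.0:10249 listener shown by netstat above), a kubeconfig that embeds client-key-data but is readable by group or others, and a current-context that does not resolve. The function names and the sample files in demo are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit the files built in steps 2-3.

# Value of a top-level "key: value" line, double quotes stripped.
yaml_top() { awk -v k="$1:" 'index($0, k) == 1 { gsub(/"/, "", $2); print $2; exit }' "$2"; }

# True when the metrics endpoint listens beyond loopback.
# Unset counts as safe: kube-proxy then defaults to 127.0.0.1:10249.
metrics_exposed() {
  case "$(yaml_top metricsBindAddress "$1")" in
    ""|127.*|localhost:*|"[::1]:"*) return 1 ;;
    *) return 0 ;;
  esac
}

# True when the kubeconfig embeds a private key yet is group- or world-readable.
key_readable_by_others() {
  grep -q 'client-key-data:' "$1" || return 1
  [ "$(ls -ld "$1" | cut -c5,8)" != "--" ]
}

# True when current-context names an entry that exists under "contexts:".
context_resolves() {
  local cur; cur=$(yaml_top current-context "$1")
  [ -n "$cur" ] || return 1
  awk -v n="$cur" '/^contexts:/ { s = 1; next } /^[a-z]/ { s = 0 }
       s && $1 == "name:" && $2 == n { ok = 1 } END { exit !ok }' "$1"
}

# audit <kube-proxy-config.yml> <kube-proxy.kubeconfig>: print one WARN per finding.
audit() {
  if metrics_exposed "$1"; then echo "WARN metrics endpoint not loopback-only: $1"; fi
  if key_readable_by_others "$2"; then echo "WARN embedded key, chmod 600 needed: $2"; fi
  if ! context_resolves "$2"; then echo "WARN current-context unset or dangling: $2"; fi
  return 0
}

# Constructed sample mirroring the page's files (key material is a placeholder).
demo() {
  local d; d=$(mktemp -d)
  printf 'kind: KubeProxyConfiguration\nmetricsBindAddress: 0.0.0.0:10249\n' > "$d/proxy.yml"
  printf 'contexts:\n- context:\n    cluster: kubernetes\n    user: kube-proxy\n  name: default\ncurrent-context: ""\nusers:\n- name: kube-proxy\n  user:\n    client-key-data: PLACEHOLDER\n' > "$d/kc"
  chmod 644 "$d/kc"
  audit "$d/proxy.yml" "$d/kc"
  rm -rf "$d"
}
demo
```

On the real host the call would be audit /opt/kubernetes/cfg/kube-proxy-config.yml /opt/kubernetes/cfg/kube-proxy.kubeconfig.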

After a k8s node server was rebooted, starting kube-proxy reported an error:

6月 19 09:57:07 node1 kube-proxy[17770]: E0619 09:57:07.022125   17770 proxier.go:1319] Failed to delete stale service IP 10.254.0.2 connections, error: error deleting connection tracking state for UDP service IP: 10.254.0.2, error: error looking for path of conntrack: exec: "conntrack": executable file not found in $PATH

Running yum -y install conntrack and then restarting kube-proxy resolved the problem.
